Re: radius install problemo: help

2002-09-17 Thread Nick Marino

Are you authenticating against Unix or Linux accounts?

- Original Message -
From: "mukhiya gurung" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 1:44 AM
Subject: radius install problemo: help


>
>
> **I get this error message when i ran this command radiusd -X:
>
>
> [root@dhcppc3 raddb]# radiusd -X
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> read_config_files:  reading dictionary
> read_config_files:  reading clients
> read_config_files:  reading realms
> read_config_files:  reading naslist
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> security: max_attributes = 200
> security: reject_delay = 1
> main: debug_level = 0
> read_config_files:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded System
> unix: cache = yes
> unix: passwd = "/etc/passwd"
> unix: shadow = "(null)"
> unix: group = "/etc/group"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> HASH:  Reinitializing hash structures and lists for caching...
> rlm_unix:  You MUST specify a shadow password file!
> HASH:  unable to create user hash table.  disable caching and run debugs
> radiusd.conf[462]: unix: Module instantiation failed.
>
>
> ***When i ran the radtest command i get this error:
>
> [root@dhcppc3 raddb]# radtest test test localhost 0 testing123
> Sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> Re-sending Access-Request of id 166 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
> NAS-IP-Address = dhcppc3
> NAS-Port-Id = "0"
> radclient: no response from server
>
>
> Can someone please advise me on what I am doing wrong or what needs to be
> fixed?
>
> thanks
>
> Mike  ([EMAIL PROTECTED])
>
>

Re: Cisco accounting

2002-09-17 Thread Victor Sanchez

I have 2 Cisco (3620 and AS5300) with freeradius 0.5 and accounting works fine.

The Cisco config is:

aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius


radius-server host 192.168.0.4 auth-port 1645 acct-port 1646 key 7 X
radius-server retransmit 3


and it works fine.

Wish that this helps you.

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 5:05 AM
Subject: Cisco accounting


> I recently installed freeradius 0.7.1 on freebsd4.6 and authentication is
> working just fine. But accounting only works on Foundry and not Cisco. I'm
> not sure if anyone has experienced this in the pass. Any help is
> appreciated.
> 
> Regards
> Mathias,
> 
> 
> DISCLAIMER
> This e-mail is intended only for the use of the addressees named above and
> may be confidential. If you are not an addressee you must not read it and
> must not use any information contained in nor copy it nor inform any person
> other than TeleCity Limited or the addressees of its existence or contents.
> If you have received this email and are not a named addressee, please delete
> it and notify the TeleCity IT department on 0161 226 7643 or by email at
> [EMAIL PROTECTED]
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





radius install problemo: help

2002-09-17 Thread mukhiya gurung



**I get this error message when I ran this command radiusd -X:


[root@dhcppc3 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
rlm_unix:  You MUST specify a shadow password file!
HASH:  unable to create user hash table.  disable caching and run debugs
radiusd.conf[462]: unix: Module instantiation failed.


***When I ran the radtest command I get this error:

[root@dhcppc3 raddb]# radtest test test localhost 0 testing123
Sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
Re-sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\367\303#\n\007\322GS\254\025x\252\240\005\2017"
NAS-IP-Address = dhcppc3
NAS-Port-Id = "0"
radclient: no response from server


Can someone please advise me on what I am doing wrong or what needs to be fixed?

thanks

Mike  ([EMAIL PROTECTED])





Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Philip Kearney

On 9/17/02 5:55 AM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Philip Kearney <[EMAIL PROTECTED]> wrote:
>
>> I set cache = no in radiusd.conf and then did radiusd -X
> 
> No, that won't help.  You should also comment out the 'passwd',
> 'shadow', and 'group' configurations, too.

That works!  :-)

No seg-fault anymore and running radtest returns the proper Access-Accept or
Access-Reject messages for unknown users versus those defined on the
machine.

So basically it works great now! yay!  :-)

And now to summarise for anyone wanting to get it up and running on MacOS X:

--

0) download, unzip and untar freeradius.tar.gz

1) $ ./configure --disable-shared   (So static libraries are built)

2) Modify ./src/include/sysutmp.h to #undef HAVE_UTMP_H

3) Modify ./src/modules/rlm_pam/rlm_pam.c to change the include directive
from #include  to #include 

4) Modify ./src/modules/rlm_sql/drivers/rlm_sql_iodbc/sql_iodbc.c, line 214
to change the return type of that function to SQL_ROW so it matches the
function prototype in sql_iodbc.h.  One could also instead change the return
type to int in the header file sql_iodbc.h.

5) $ cd ./src

6) $ make

7) $ make install

8) Modify radiusd.conf as follows:

In the unix section:

8a) set "cache = no"
8b) set "cache_reload = 0"
8c) COMMENT OUT the "passwd =", "shadow =", and "group =" lines.
8d) Save changes and exit whatever editor you used to edit radiusd.conf.

9) Now run radiusd -X and test things out with radtest.

10) Assuming everything works, set up your clients.conf and other config
files as appropriate to suit your needs and set radiusd to run on boot and
you're done.

You now have FreeRADIUS running under MacOS X.

*Note: I did all of my ./configure and make, etc. under sudo.

--

As far as the mods I had to do, the config scripts should probably be
modified so that the default is static libraries when compiling under MacOS
X.  Also the config stuff should explicitly make sure that HAVE_UTMP_H is
NOT defined when compiling under MacOS X.

Then in rlm_pam.c someone can add an #if defined(MacOSX) or something
(whatever the makefile guys decide to define for when one is compiling on a
Mac) so that you have:

#if !defined(MacOSX)
#include 
#else /* MacOS X puts pam_appl.h in a different directory */
#include 
#endif

The last one in sql_iodbc.c/sql_iodbc.h is just a bug which should be caught
by more compilers.  The function returns an int not a SQL_ROW, it's plain to
see when looking at the source.  The header file sql_iodbc.h should be
corrected so the function prototype matches the function definition in the
source file.

With those simple mods to configure and two source files, MacOS X users
should be able to do like everyone else, ./configure; make; make install and
have FreeRADIUS running easily on any Mac booting MacOS X.

If someone then adds comments to radiusd.conf telling MacOS X users to set
cache to no and comment out the passwd, shadow, and group lines, no one
trying to get radiusd to a testable state under MacOS X should have any
problems.

If/When the above changes are made so it just compiles and works on MacOS X,
let me know via e-mail and I'll download that rev of the source and test the
changes out.

That's about it.  FreeRADIUS works for me and I'm happy now.  :-)

All the best,

PK
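
An added example, not part of any post in this thread and not FreeRADIUS code: a small parser for `radiusd -X` output that reports the unix-module failure shown in the "radius install problemo" post and checks the unix section against steps 8a-8c of the summary above. The sample text is constructed from the output quoted in the thread; the function names and the reading of "(null)" as "not set" are assumptions of this example.

```python
import re

# Constructed sample: the tail of the `radiusd -X` output quoted in this thread.
SAMPLE_DEBUG = '''\
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
rlm_unix:  You MUST specify a shadow password file!
HASH:  unable to create user hash table.  disable caching and run debugs
radiusd.conf[462]: unix: Module instantiation failed.
'''

# "section: key = value" lines, e.g.  unix: cache = yes
SETTING_RE = re.compile(r'^(\w+):\s+(\w+)\s*=\s*(.*)$')
# "file[line]: module: Module instantiation failed."
FAILURE_RE = re.compile(r'^([^\s\[]+)\[(\d+)\]:\s+(\w+):\s+Module instantiation failed')

# Steps 8a-8c of the MacOS X summary; None means "commented out / not set".
MACOSX_PROFILE = {"cache": "no", "cache_reload": "0",
                  "passwd": None, "shadow": None, "group": None}


def parse_debug(text):
    """Return ({section: {key: value}}, [(file, line, module), ...])."""
    settings, failures = {}, []
    for raw in text.splitlines():
        # Accept output pasted from a quoted e-mail reply ("> " prefixes).
        line = raw.lstrip("> \t").rstrip()
        m = FAILURE_RE.match(line)
        if m:
            failures.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = SETTING_RE.match(line)
        if m:
            section, key, value = m.groups()
            value = value.strip().strip('"')
            # Assumption: the server prints unset strings as "(null)".
            settings.setdefault(section, {})[key] = None if value == "(null)" else value
    return settings, failures


def diagnose_unix(settings, failures):
    """Name the conditions behind the failure reported in the thread."""
    unix = settings.get("unix", {})
    findings = []
    # Caching is on but no shadow file is configured: rlm_unix refuses to start.
    if unix.get("cache") == "yes" and unix.get("shadow") is None:
        findings.append("cache_without_shadow")
    # The server exits here, so a later radtest gets "no response from server".
    if any(module == "unix" for _, _, module in failures):
        findings.append("unix_instantiation_failed")
    return findings


def macosx_deviations(settings):
    """List unix-section keys that differ from steps 8a-8c above."""
    unix = settings.get("unix", {})
    return [k for k, want in MACOSX_PROFILE.items() if unix.get(k) != want]


if __name__ == "__main__":
    parsed, failed = parse_debug(SAMPLE_DEBUG)
    print("failures:", failed)
    print("findings:", diagnose_unix(parsed, failed))
    print("differs from MacOS X summary:", macosx_deviations(parsed))
```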





Re: New Question

2002-09-17 Thread Nick Marino

cool thanks for the info that helps a lot. I thought about just copying it all
to a temp dir and doing it then just copying it back if it got screwed up but
that probably would be better that way I would always have an archived backup
handy.

- Original Message -
From: "Kevin Bonner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:58 PM
Subject: Re: New Question


Nick,

The Makefile is setup so that it won't overwrite your config files.  You
should be fine by running 'make install'.  If you're nervous of doing this,
just tar up your raddb directory so you have a way to undo what has been
done.

Kevin

On Tuesday 17 September 2002 22:39, Nick Marino wrote:
> Is there a way to upgrade to the lastest version of radius with out
> overwritting my current config files?



Re: fradius] Re: User Lock Out

2002-09-17 Thread Nick Marino

well I still haven't figured out how to control individual users times they
are allowed on the system and duration other than making everyone
unlimited time.  I don't see where that is located either.

- Original Message -
From: "Tim McCracken" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:52 PM
Subject: RE: fradius] Re: User Lock Out


> I recently asked if Free Radius would recognize the Expiration-Date
> attribute and was told it would, so that should work.  It should send an
> Auth-Reject if the current date/time is later than the expiration date.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Nick Marino
> Sent: Tuesday, September 17, 2002 9:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: fradius] Re: User Lock Out
>
>
> My original post was "is there anyway to do it in DIALUP ADMIN that comes
> with free radius to lock a user out other than chaning thier password".
>
> - Original Message -
> From: "R P Herrold" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 17, 2002 9:33 PM
> Subject: Re: fradius] Re: User Lock Out
>
>
> > On Tue, 17 Sep 2002, Nick Marino wrote:
> >
> > > don't see that anywhere in dialup admin, and I am using a sql database for
> > > auth not linux.
> >
> > Ahhh ... I have a presentation on the general topic of command
> > shell MySQL access (in part) at:
> >http://www.colug.net/notes/0208mtg/
> >
> > This code fragment should work ...
> >
> >
> > $select1 = "select passwdhash from usertable \
> > where userid = '$userid' \
> > limit 1";
> > $result1 = mysql_query($select1);
> > $row1 = mysql_fetch_assoc($result);
> > $t_passwdhash   = $row1["passwdhash"];
> > $t_passwdhash = "*20020917*" . $passwdhash;
> > $select2 = "update usertable set passwdhash = '$passwdhash' \
> > where userid = '$userid'";
> > $result2= mysql_query($select2);
> >
> >
> >  -- Russ Herrold
> >
> >



radiusreport

2002-09-17 Thread Nicholas Sim

Dear all,

We have configured the freeradius and it ran.
But there's one problem.
We managed to come across the radiusreport programmed by Mr Greg
But in order to run it we need a detail file.
But we couldn't find a detail file in any of the folders.
And there's also nothing in the radacct folder.
Why? How are we going to make radiusreport work?
Please help

thanks



Re: Cisco accounting

2002-09-17 Thread Frank Cusack

On Tue, Sep 17, 2002 at 10:03:42PM -0700, Frank Cusack wrote:
> So, as I said, this is not supported on Cisco w/ RADIUS.  Look at the
> Cisco docs, it says this explicitly.
> 
> ( cco->ios->12.2->security->aaa->accounting->command accounting ... I think)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid10




Re: Cisco accounting

2002-09-17 Thread Frank Cusack

On Wed, Sep 18, 2002 at 05:35:52AM +0100, [EMAIL PROTECTED] wrote:
> If someone logs in to a router and issue a command, this is recorded in a
> file. I currently use IOS 12.2 The following commands are configured on the
> Cisco router. 

So, as I said, this is not supported on Cisco w/ RADIUS.  Look at the
Cisco docs, it says this explicitly.

( cco->ios->12.2->security->aaa->accounting->command accounting ... I think)

> Foundry has the same config and is working as it should. Below is a snapshot
> of the file freeradius has generated for a Foundry.

So Foundry got it right.

There's no REASON it's not easily supportable; Cisco just chose not to
implement it I guess.  You should open a bug.

/fc




RE: Cisco accounting

2002-09-17 Thread Mathias . Kenfack-Tabakem

If someone logs in to a router and issue a command, this is recorded in a
file. I currently use IOS 12.2 The following commands are configured on the
Cisco router. 


 this
mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 05:09
To: [EMAIL PROTECTED]
Subject: Re: Cisco accounting


On Wed, Sep 18, 2002 at 04:05:58AM +0100,
[EMAIL PROTECTED] wrote:
> I recently installed freeradius 0.7.1 on freebsd4.6 and authentication is
> working just fine. But accounting only works on Foundry and not Cisco. I'm
> not sure if anyone has experienced this in the pass. Any help is
> appreciated.

Exactly what kind of accounting are you talking about here?  Cisco IOS
(up to 12.1 at least) does not support command accounting via RADIUS.
Other accounting should be supported but I have no further info on it.

/fc




Re: Cisco accounting

2002-09-17 Thread Frank Cusack

On Wed, Sep 18, 2002 at 04:05:58AM +0100, [EMAIL PROTECTED] wrote:
> I recently installed freeradius 0.7.1 on freebsd4.6 and authentication is
> working just fine. But accounting only works on Foundry and not Cisco. I'm
> not sure if anyone has experienced this in the pass. Any help is
> appreciated.

Exactly what kind of accounting are you talking about here?  Cisco IOS
(up to 12.1 at least) does not support command accounting via RADIUS.
Other accounting should be supported but I have no further info on it.

/fc




Cisco accounting

2002-09-17 Thread Mathias . Kenfack-Tabakem

I recently installed freeradius 0.7.1 on freebsd4.6 and authentication is
working just fine. But accounting only works on Foundry and not Cisco. I'm
not sure if anyone has experienced this in the past. Any help is
appreciated.

Regards
Mathias,





Re: New Question

2002-09-17 Thread Kevin Bonner

Nick,

The Makefile is set up so that it won't overwrite your config files.  You
should be fine by running 'make install'.  If you're nervous of doing this, 
just tar up your raddb directory so you have a way to undo what has been 
done.

Kevin

On Tuesday 17 September 2002 22:39, Nick Marino wrote:
> Is there a way to upgrade to the lastest version of radius with out
> overwritting my current config files?



RE: fradius] Re: User Lock Out

2002-09-17 Thread Tim McCracken

I recently asked if Free Radius would recognize the Expiration-Date
attribute and was told it would, so that should work.  It should send an
Auth-Reject if the current date/time is later than the expiration date.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Nick Marino
Sent: Tuesday, September 17, 2002 9:37 PM
To: [EMAIL PROTECTED]
Subject: Re: fradius] Re: User Lock Out


My original post was "is there anyway to do it in DIALUP ADMIN that comes
with free radius to lock a user out other than chaning thier password".

- Original Message -
From: "R P Herrold" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:33 PM
Subject: Re: fradius] Re: User Lock Out


> On Tue, 17 Sep 2002, Nick Marino wrote:
>
> > don't see that anywhere in dialup admin, and I am using a sql database for
> > auth not linux.
>
> Ahhh ... I have a presentation on the general topic of command
> shell MySQL access (in part) at:
>http://www.colug.net/notes/0208mtg/
>
> This code fragment should work ...
>
>
> $select1 = "select passwdhash from usertable \
> where userid = '$userid' \
> limit 1";
> $result1 = mysql_query($select1);
> $row1 = mysql_fetch_assoc($result);
> $t_passwdhash   = $row1["passwdhash"];
> $t_passwdhash = "*20020917*" . $passwdhash;
> $select2 = "update usertable set passwdhash = '$passwdhash' \
> where userid = '$userid'";
> $result2= mysql_query($select2);
>
>
>  -- Russ Herrold
>
>



New Question

2002-09-17 Thread Nick Marino

Is there a way to upgrade to the latest version of radius without
overwriting my current config files?





Re: fradius] Re: User Lock Out

2002-09-17 Thread Nick Marino

My original post was "is there any way to do it in DIALUP ADMIN that comes
with free radius to lock a user out other than changing their password".

- Original Message -
From: "R P Herrold" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:33 PM
Subject: Re: fradius] Re: User Lock Out


> On Tue, 17 Sep 2002, Nick Marino wrote:
>
> > don't see that anywhere in dialup admin, and I am using a sql database for
> > auth not linux.
>
> Ahhh ... I have a presentation on the general topic of command
> shell MySQL access (in part) at:
>http://www.colug.net/notes/0208mtg/
>
> This code fragment should work ...
>
>
> $select1 = "select passwdhash from usertable \
> where userid = '$userid' \
> limit 1";
> $result1 = mysql_query($select1);
> $row1 = mysql_fetch_assoc($result);
> $t_passwdhash   = $row1["passwdhash"];
> $t_passwdhash = "*20020917*" . $passwdhash;
> $select2 = "update usertable set passwdhash = '$passwdhash' \
> where userid = '$userid'";
> $result2= mysql_query($select2);
>
>
>  -- Russ Herrold
>
>



Re: fradius] Re: User Lock Out

2002-09-17 Thread R P Herrold

On Tue, 17 Sep 2002, Nick Marino wrote:

> don't see that anywhere in dialup admin, and I am using a sql database for
> auth not linux.

Ahhh ... I have a presentation on the general topic of command
shell MySQL access (in part) at:
   http://www.colug.net/notes/0208mtg/

This code fragment should work ...


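// Escape $userid before it is placed inside the SQL text.
$userid_sql     = mysql_real_escape_string($userid);
// Fetch the current hash for this user.
$select1 = "select passwdhash from usertable
        where userid = '$userid_sql'
        limit 1";
$result1        = mysql_query($select1);
$row1           = mysql_fetch_assoc($result1);
$t_passwdhash   = $row1["passwdhash"];
// Prefix the stored hash with a dated marker so the stored value changes.
$t_passwdhash   = "*20020917*" . $t_passwdhash;
$hash_sql       = mysql_real_escape_string($t_passwdhash);
$select2 = "update usertable set passwdhash = '$hash_sql'
        where userid = '$userid_sql'";
$result2        = mysql_query($select2);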


 -- Russ Herrold





Re: fradius] User Lock Out

2002-09-17 Thread Nick Marino

Am I in the wrong place?

I am not authenticating against linux users.

- Original Message -
From: "R P Herrold" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:23 PM
Subject: Re: fradius] User Lock Out


> On Tue, 17 Sep 2002, Nick Marino wrote:
>
> > Is there a way to lock a user out in Dialup Admin, other than changing their
> > password?
>
>passwd -l userid
>
> see man passwd
>
>



Re: fradius] User Lock Out

2002-09-17 Thread R P Herrold

On Tue, 17 Sep 2002, Nick Marino wrote:

> Is there a way to lock a user out in Dialup Admin, other than changing their
> password?

   passwd -l userid

see man passwd





Re: User Lock Out

2002-09-17 Thread Nick Marino

don't see that anywhere in dialup admin, and I am using a sql database for
auth not linux.
- Original Message -
From: "Marcin Groszek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 9:11 PM
Subject: Re: User Lock Out


> Change the user shel to /dev/null.
>
>
> Nick Marino wrote:
>
> > Is there a way to lock a user out in Dialup Admin, other than changing their
> > password?
> >
>
> --
> Best Regards: Marcin Groszek
> Http://www.hostplus.net
> Where we offer:
> Server Co-location, Web Site Hosting and Internet Access.
>
>
>
>



Re: User Lock Out

2002-09-17 Thread Marcin Groszek

Change the user shell to /dev/null.


Nick Marino wrote:

> Is there a way to lock a user out in Dialup Admin, other than changing their
> password?
>

--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







Re: Radius Server Can't Authnticate Login

2002-09-17 Thread Nick Marino

could be the same problem I had which was I didn't have the auth-type set in
my NAS.

- Original Message -
From: "Ahmad S. Taneo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 8:09 AM
Subject: Radius Server Can't Authnticate Login


> Hi!!!
>
> I am using freeradius-7.0  in a redhat 7.2 kernel of linux. I have
> successfully installed freeeradius and binded it to ldap. My problem is
> when i tried testing the radius server as a dial in server for remote
> pc, the portslave recognizes incoming call but somehow can't
> authenticate the login process. but when testing raidius server it gives
> an "Access-Accept" to the binded ldap server. I have checked log for
> radius and it seems it doesn't give any information at all. It's just
> that the connection died  somehow. I would appreciate any help you can
> give me from anyone of you out there..
>
> ahmadz
>
>



User Lock Out

2002-09-17 Thread Nick Marino

Is there a way to lock a user out in Dialup Admin, other than changing their
password?





Re: Fail to Start

2002-09-17 Thread ho k

Hi

It fails too.

# ./radiusd &
[1] 9782
MMPdb_DEV:/usr/local/sbin# Wed Sep 18 09:21:14 2002 : Info: Starting - reading configuration files ...

[1] +  Done                    ./radiusd &

The freeradius-0.7 is running on solaris2.7 and it is
fine in debug mode "radiusd -X"

Thanks
K

 --- Ruslan Balkin <[EMAIL PROTECTED]> wrote:
> On Tue, 17 Sep 2002 18:38:24 +0800 (CST)
> ho k wrote:
> 
> > Hi
> > I cannot run freeradius in background. Everything seems
> > alright after enter "radiusd"
> > 
> > # ./radiusd
> radiusd &
> ?
> 
> -- 
> Balkin Ruslan
> 



Re: Windows XP/Cisco Catalyst/freeradius-snapshot-20020916

2002-09-17 Thread Lim Sei Wei

Here's the startup of radiusd -X -s

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib:/usr/lib:/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "yes"
 main: lower_pass = "yes"
 main: nospace_user = "yes"
 main: nospace_pass = "yes"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib:/usr/lib:/lib
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 0
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.

This freeradius snapshot is running on Solaris 8


On 9/17/02 6:03 PM, "Artur Hecker" <[EMAIL PROTECTED]> wrote:

> 
> 
> Lim Sei Wei wrote:
>> 
>> I have commented all the DEFAULT authtype examples in the file and this is
>> the only entry in there
>> myuser Auth-Type = Local, User-Password == "mypassword"
>> 
> 
> yes, and that's the problem, too :-) change it to:
> 
> myuser Auth-Type := Local, User-Password == "mypassword"
> 
> and try again please.
> 
> 
> regards,
> artur
> 





Re: Windows XP/Cisco Catalyst/freeradius-snapshot-20020916

2002-09-17 Thread Lim Sei Wei

Hi

When I change that and put that in, this is the error message I get


auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Sending Access-Reject of id 58 to 10.0.0.212:1812

And Windows rejects it straight away.


On 9/17/02 6:03 PM, "Artur Hecker" <[EMAIL PROTECTED]> wrote:

> 
> 
> Lim Sei Wei wrote:
>> 
>> I have commented all the DEFAULT authtype examples in the file and this is
>> the only entry in there
>> myuser Auth-Type = Local, User-Password == "mypassword"
>> 
> 
> yes, and that's the problem, too :-) change it to:
> 
> myuser Auth-Type := Local, User-Password == "mypassword"
> 
> and try again please.
> 
> 
> regards,
> artur
> 





Newbie, Radius and mgetty and ppp

2002-09-17 Thread J. Peters (Tropico-Network)

Hi,

I am quite new with linux and still have difficulties to understand or find
the documentation. I have a machine with SuSE 8.0 as a dialin server, using
mgetty with Auto_ppp for dialin. Everything works fine, but now I want to
use RADIUS for the authentication. How do I do that in the most simple
way?

With kind regards

Juergen Peters
General Manager
Tropico Network S. de R. L.

email: [EMAIL PROTECTED]
Tel: ++504 440 1461
Fax: ++504 443 0660







Group reject

2002-09-17 Thread Marcin Groszek

I have installed freeradius 0.7.1 on slackware 8.0 with shadow password.
Installation was ok and basic functions are working.
I have experienced problems when I try to deny access to one of the groups
on the radius server.
Following instruction did not help.
I tried:
DEFAULT Group == "users" , Auth-Type :=Reject
DEFAULT Group == users , Auth-Type :=Reject
DEFAULT Group == "users" , Auth-Type =Reject
DEFAULT Group == users , Auth-Type =Reject
And more before:
DEFAULT  Auth-Type := System
but nothing worked.
User marcin , group users was always able to authenticate.
This is a debug of the auth process:

rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131, length=81
NAS-IP-Address = 216.168.1.38
Calling-Station-Id = "204.251.93.250"
User-Name = "[EMAIL PROTECTED]"
User-Password = "\274\252\2162\275\rS+\305F.\240\007Ia"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm hostplus.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm hostplus.net
rlm_realm: Adding Stripped-User-Name = "marcin"
  rlm_realm: Proxying request from user marcin to realm hostplus.net
rlm_realm: Adding Realm = "hostplus.net"
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 6
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Login OK: [[EMAIL PROTECTED]] (from client supernews port 0 cli 204.251.93.250)
Sending Access-Accept of id 131 to 216.168.1.38:4751
Finished request 4
Going to the next request

And one more thing.
Will I be able to limit access based on
Called-Station-id?
If so, what would be the process to set this up?







Re: Chaining Radius Authentication

2002-09-17 Thread Chris Parker

At 02:25 PM 9/17/2002 -0500, Ryan Parlee wrote:

>Hello,
>
>I am co-branding an ISP's existing infrastructure to create my own ISP.
>They currently use Livingston for their Radius server and I am wanting to
>use FreeRadius.  Is it possible to have authentication pass from their
>Radius server to mine?
>
>My users call in on the same phone number, so the only way to tell them
>apart is by username/password, although, it might also work to have
>different authentication methods (ie. CHAP versus PAP).  Can anyone offer
>suggestions on how to accomplish this?

Depending on the version, yes this is possible.  The auth method is
radius-server agnostic on the proxy-side.  IE, if the NAS can do both
CHAP and PAP, then both should be able to be passed to your server.

The one thing to watch for is the version of Livingston Radius.  It
should be version 2.1 for this to work on their side.  Earlier versions
do not support proxy radius.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Chaining Radius Authentication

2002-09-17 Thread Tim D. McCracken

Assuming that you don't have any existing users, just setup a proxy.
It is all very well documented.  Your users just add a realm (your domain)
on the end of their username, and his server proxies to you any users
with that realm.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ryan Parlee
Sent: Tuesday, September 17, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: Chaining Radius Authentication



Hello,

I am co-branding an ISP's existing infrastructure to create my own ISP.
They currently use Livingston for their Radius server and I am wanting to
use FreeRadius.  Is it possible to have authentication pass from their
Radius server to mine?

My users call in on the same phone number, so the only way to tell them
apart is by username/password, although, it might also work to have
different authentication methods (ie. CHAP versus PAP).  Can anyone offer
suggestions on how to accomplish this?

Thanks, Ryan






Chaining Radius Authentication

2002-09-17 Thread Ryan Parlee


Hello,

I am co-branding an ISP's existing infrastructure to create my own ISP.
They currently use Livingston for their Radius server and I am wanting to
use FreeRadius.  Is it possible to have authentication pass from their
Radius server to mine?

My users call in on the same phone number, so the only way to tell them
apart is by username/password, although, it might also work to have
different authentication methods (ie. CHAP versus PAP).  Can anyone offer
suggestions on how to accomplish this?

Thanks, Ryan






VoIP ASR generation from Radius CDRs

2002-09-17 Thread Jason Ostrom

Hello,

I am using Freeradius for VoIP accounting CDR generation from Cisco
NAS.  I was wondering if there are any open source or commercial tools
out there for parsing detail files for ASR (Average Success Rate)
generation.

I found a python script at [1] that appears to do batch-mode analysis.
 I could use this and/or modify it, but I was also looking
 for something that did realtime (near realtime) analysis of the
 detail file.  Just looking for something so that I don't have to
 re-invent the wheel.


[1] "Wilane's Den" http://www.cyg.sn/perso/wilane/





RE: internet authentication

2002-09-17 Thread Tim D. McCracken


Your application doesn't sound like a typical radius application. Sorry for
all the questions, but I think people on this list are going to need more
information about what you are trying to do.

You probably are going to have to explain your configuration in more detail.
When you say you are using radius to authenticate users to a cisco router,
what is the model number of the router, and are you actually authenticating to
terminal server ports, management sessions, or what?
Exactly how are the users connected to the router, and why are you trying to
authenticate them to a router?

Are you using a firewall or proxy server?  If so, what kind?

Your router really is just a router and not a NAS such as an Ascend MAX or
TNT, or Cisco 5x00, or something else? And you really have no dial-up server
(NAS) or other Network Access Server?

What is the user environment? Windows PCs, Xnix workstations, or?

Tim


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Javier Santos
Sent: Tuesday, September 17, 2002 11:58 AM
To: [EMAIL PROTECTED]
Subject: Re: internet authentication


I don't have dial up server.

I have a LAN connected to router


On Tue, 17 Sep 2002 10:53:55 -0600
  "Javier Santos" <[EMAIL PROTECTED]> wrote:
>I have RADIUS running to authenticate cisco router
>users.
>
>I need to authenticate users to access internet.
>
>someone has an idea how to configure router and radius to
>do this??
>
>Thanks



Re: internet authentication

2002-09-17 Thread David Payer - freeradius acct

My first inclination is to recommend using a PROXY server to control their
access to the Internet.  Does your router support Radius authentication for
network requests?

David Payer
OMNI Internet - www.iowalink.com
550 11th St #205, Des Moines, IA 50309
515-244-6664



- Original Message -
From: "Javier Santos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 11:58 AM
Subject: Re: internet authentication


> I don't have dial up server.
>
> I have a LAN connected to router
>
>
> On Tue, 17 Sep 2002 10:53:55 -0600
>   "Javier Santos" <[EMAIL PROTECTED]> wrote:
> >I have RADIUS running to authenticate cisco router
> >users.
> >
> >I need to authenticate users to access internet.
> >
> >someone has an idea how to configure router and radius to
> >do this??
> >
> >Thanks



Re: internet authentication

2002-09-17 Thread Javier Santos

I don't have dial up server.

I have a LAN connected to router


On Tue, 17 Sep 2002 10:53:55 -0600
  "Javier Santos" <[EMAIL PROTECTED]> wrote:
>I have RADIUS running to authenticate cisco router
>users.
>
>I need to authenticate users to access internet.
>
>someone has an idea how to configure router and radius to
>do this??
>
>Thanks



internet authentication

2002-09-17 Thread Javier Santos

I have RADIUS running to authenticate cisco router
users.

I need to authenticate users to access internet.

someone has an idea how to configure router and radius to
do this??

Thanks



Re: R: R: radius.conf

2002-09-17 Thread Marius Cabas

I try to install OpenLDAP on a Windows machine but I get the following error:
"c:\OpenLDAP\sysconf\slapd.conf: No such file or directory". How can I change the 
slapd.conf file path?





Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Spike Ilacqua

>   No, that won't help.  You should also comment out the 'passwd',
> 'shadow', and 'group' configurations, too.

And, if you aren't already, you may need to run radiusd as "root".
BSD based systems use an automatic password shadowing setup.  If
getpwent() is called as root, the shadow file is read and the password
is returned in the passwd struct.  If a normal user calls getpwent(),
"*" is always returned for the password.

->Spike
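
The behaviour described above can be checked from the account radiusd will run as. This is an added example, not part of the original post or of FreeRADIUS: it reports how many passwd entries expose a real hash to the current uid, without ever printing a hash. The function names and the placeholder list are assumptions; on Linux with shadow passwords the field is normally "x" for every caller, root included.

```python
import os
import pwd

# Common "no hash here" markers in the passwd field (assumed list, not exhaustive):
# "*" for a non-root caller on BSD-style systems, "x" on Linux shadow setups,
# "!" / "!!" / "*LK*" for locked accounts, "NP" for no-password accounts.
PLACEHOLDERS = {"", "*", "x", "!", "!!", "*LK*", "NP"}


def classify_passwd_field(field: str) -> str:
    """Return 'placeholder' if the field cannot be used to verify a password."""
    if field in PLACEHOLDERS or field[0] in "!*":
        return "placeholder"
    return "hash"


def check_user(username: str) -> dict:
    """What the current uid gets back from getpwnam() for one account."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return {"user": username, "status": "no-such-user"}
    return {"user": username, "status": classify_passwd_field(entry.pw_passwd)}


def visibility_summary() -> dict:
    """Count how many entries expose a hash to this process (getpwent() walk)."""
    counts = {"hash": 0, "placeholder": 0}
    for entry in pwd.getpwall():
        counts[classify_passwd_field(entry.pw_passwd)] += 1
    return {"euid": os.geteuid(), "total": sum(counts.values()), **counts}


def can_do_system_auth(username: str) -> bool:
    """True only if a hash is visible, i.e. a passwd-based check could succeed."""
    return check_user(username)["status"] == "hash"


if __name__ == "__main__":
    summary = visibility_summary()
    print("euid %(euid)d sees %(hash)d hashes, %(placeholder)d placeholders" % summary)
    # "demo" is the account name used elsewhere in this thread.
    print(check_user("demo"))
```

Run it once as root and once as the unprivileged account: if only root sees hashes, system authentication depends on the daemon keeping root privileges.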





Stale ISDN connections on Cisco 5300

2002-09-17 Thread Iasonas Charalambous

Hi,

I am using Freeradius-0.7 on a linux machine. My access servers are Cisco 
5300. I have noticed that in the case of the stale ISDN 
connections  "checkrad" does not work very well. For instance an ISDN stale 
connection cannot be detected immediately by checkrad. The problem seems to 
be the "snmpwalk" command in "checkrad" (shown below) that checks the "isdn 
history" on the access server instead of the actual connected isdn users. 
The isdn history on a C5300 can keep disconnected isdn calls for a maximum 
of 15 minutes. If a stale user tries to reconnect  within 15 minutes of his 
disconnection  he will be rejected. Any ideas how to solve this problem?


if($login eq $ARGV[3]) {
        return 1;
}else{
        # walk the ISDN history OID on the NAS and look for the username
        $out=`$snmpwalk $ARGV[1] $pass .iso.org.dod.internet.private.enterprises.9.9.27.1.1.3.1.7`;
        if($out=~/\"$ARGV[3]\"/){
                return 1;
        }else{
                return 0;
        }
}


Iasonas
___
Iasonas Charalambous        email: [EMAIL PROTECTED]

CYPRUS TELECOM. AUTHORITY   FAX: + 357 2 486634
Value Added Services        www: http://www.cytanet.com.cy
Telecommunications Str
P.O.Box 24929, CY-1396
Nicosia, Cyprus 





Re: R: R: radius.conf

2002-09-17 Thread Artur Hecker

hi

> Here is my user in /etc/passwd
> 
> demo:*:1906:100:demo:/home/ftp/./:/etc/notelnet
> 
> until now the user config file, is the user.sample with no change

can you login locally with the password you used? does radius read both
/etc/passwd AND /etc/shadow? i can't see it in the log since you
truncated it.


> rlm_unix: [demo]: invalid password
>   modcall[authenticate]: module "unix" returns reject
> modcall: group authenticate returns reject
> auth: Failed to validate the user.


ciao
artur


-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: CHAP/PAP Authentication

2002-09-17 Thread Shawn O'Shea


Auth-Type can be an arbitrary value. I use something like this to make
chap or pap available to the same set of users:

in users:
DEFAULT Auth-Type := CHAPPAP
   

in authenticate block radiusd.conf:
authtype CHAPPAP {
        chap
        pap
}

-Shawn


On Tue, 17 Sep 2002, ho k wrote:

> Hi
>
> Hi
> How can the user profile be set such that the PAP or
> CHAP call may be verified.
> If I used:
>
>
> DEFAULT  Auth-Type := PAP
> Fall-Through = 1
>
> the debug output is:
>
> modcall: group authorize returns ok
> rad_check_password:  Found Auth-Type PAP
> auth: type "PAP"
> modcall: entering group authtype
> rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
> modcall[authenticate]: module "pap" returns invalid
> modcall: group authtype returns invalid
> auth: Failed to validate the user.
>
> for CHAP user.
>
> Regards
> K
>
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
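
Why an Auth-Type that only runs pap returns "invalid" for a CHAP user, while a group listing chap and pap handles both: the following is an added example, not from the original thread or from FreeRADIUS source, of the RFC 2865 User-Password hiding and CHAP-Password digest. The function names, the `methods` parameter and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS puts in User-Password (RFC 2865, section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = _md5(secret + prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # the next key is chained on the previous hidden block
    return hidden


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret reverses the hiding and yields cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1 octet CHAP ident + MD5(ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + _md5(ident + password + challenge)


def check_request(attrs, secret, authenticator, cleartext, methods=("chap", "pap")):
    """Try each enabled method in order, like a group that lists chap then pap.

    `cleartext` is the password the server has on file. CHAP is a one-way
    digest, so the server can only recompute it from a cleartext password;
    it cannot be turned back into something a PAP comparison could use.
    """
    for method in methods:
        if method == "chap" and "CHAP-Password" in attrs:
            value = attrs["CHAP-Password"]
            if len(value) != 17:
                return "invalid"
            # Without a CHAP-Challenge attribute the Request Authenticator is used.
            challenge = attrs.get("CHAP-Challenge", authenticator)
            expected = chap_password(value[0], cleartext, challenge)
            return "chap-ok" if hmac.compare_digest(value, expected) else "reject"
        if method == "pap" and "User-Password" in attrs:
            try:
                clear = pap_recover(attrs["User-Password"], secret, authenticator)
            except ValueError:
                return "invalid"
            return "pap-ok" if hmac.compare_digest(clear, cleartext) else "reject"
    # No enabled method found an attribute it can work with.
    return "invalid"


if __name__ == "__main__":
    secret = b"testing123"       # shared secret, as in the radtest call in this thread
    auth = bytes(range(16))      # constructed Request Authenticator
    pw = b"mypassword"           # constructed password on file
    pap_req = {"User-Password": pap_hide(pw, secret, auth)}
    chap_req = {"CHAP-Password": chap_password(7, pw, auth)}
    print(check_request(pap_req, secret, auth, pw))                     # pap-ok
    print(check_request(chap_req, secret, auth, pw))                    # chap-ok
    print(check_request(chap_req, secret, auth, pw, methods=("pap",)))  # invalid
```

Note that the CHAP branch only works when the server stores a cleartext (or reversibly stored) password, whereas PAP can also be checked against a hash because the server recovers what the user typed.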





R: R: radius.conf

2002-09-17 Thread Gian-Carlo Baldarelli

Ok, I commented out some parts of the radius.conf

( no proxy )

Here is my user in /etc/passwd

demo:*:1906:100:demo:/home/ftp/./:/etc/notelnet

until now the user config file, is the user.sample with no change

...

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "demo"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [demo]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 217 to 127.0.0.1:3315
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 217 with timestamp 3d872403
Nothing to do.  Sleeping until we see a request

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Artur Hecker
Sent: Tuesday, 17 September 2002 11.58
To: [EMAIL PROTECTED]
Subject: Re: R: radius.conf


hi


> I must apologize for this, I didn't realize immediately that would be a
> problem, sorry.
>
> I read the radius.conf, but I don't understand it, I mean
> I don't understand if I need only unix/etc/passwd i must configure all
> other stuff
> as:
> acct_users
> huntgroups
> clients.conf
> users
> dictionary
> hints
> realms

so, just comment out everything you don't need in the radiusd.conf, it's
organized in modules.

> 
> and the following error ??
> rlm_realm: Looking up realm NULL for User-Name = "demo"
> what does it mean ??

it means that the proxying module takes the user "demo", looks up the
preconfigured suffix in it, doesn't find any, thus sets the realm part
of the user name to NULL (empty, nothing) and does not proxy the request
since such a realm is not configured. it's not really an error. e.g.
demo@foo would have produced the same but with realm "foo" since @ is a
configured suffix. just deactivate proxying if you don't need all that.


> I need real configurations whether I use unix passwd ?
>
> log ---> doing the test:radtest demo demo localhost 0 testing123
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:2915, id=255, length=53
> User-Name = "demo"
> User-Password = "Nq\365\213\316\t\374U\3122n~dc2\323"
> NAS-IP-Address = 255.255.255.255
> NAS-Port-Id = "0"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "demo"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> rlm_unix: [demo]: invalid password
>   modcall[authenticate]: module "unix" returns reject
> modcall: group authenticate returns reject
> auth: Failed to validate the user.

sure that the password of your user "demo" IS "demo"? does the user
exist? please post the user configuration.


ciao
artur


--
Artur Hecker
artur[at]hecker.info




Re: rlm_sqlcounter.c in CVS

2002-09-17 Thread Kostas Kalevras

On Tue, 17 Sep 2002, Alan DeKok wrote:

> Andrea Gabellini <[EMAIL PROTECTED]> wrote:
> > If I use a query string greater than 256 I got a Segmentation fault, but if
> > I use a query minor than 256 it works well.
>
>   That should be a simple bug to fix.
>
> > Debugging the code I notice that the problem is in the sqlcounter_authorize
> > when it calls the radius_xlat function on line 512.
>
>   Hmm.. it uses MAX_QUERY_LEN, which is 4096.  Can you email a
> backtrace from gdb to the list (or the -devel list, probably).  See
> 'doc/bugs' for more information.
>
>   It sounds like *something* isn't checking buffer sizes, and there's
> no way of telling without a back trace.
>
>   Alan DeKok.

See

http://lists.cistron.nl/archives/freeradius-devel/2002/09/msg00091.html

and

http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg09243.html

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Alan DeKok

Scott Silzer <[EMAIL PROTECTED]> wrote:
> I don't think that system based auth will work in OSX as it uses 
> netinfo for most of its internal AAA, however LDAP,  xSQL and flat/db 
> files should work.

  The use of 'netinfo' shouldn't be a problem.  Many systems use yp to
store passwords, and there's no yp code in the server.  All that
matters is that the system's "getpwent" function ends up calling the
Right Thing.

  Then, any application can just use getpwent(), and it will Just
Work, on all the platforms.

  Alan DeKok,




Re: rlm_sqlcounter.c in CVS

2002-09-17 Thread Alan DeKok

Andrea Gabellini <[EMAIL PROTECTED]> wrote:
> If I use a query string greater than 256 I got a Segmentation fault, but if 
> I use a query minor than 256 it works well.

  That should be a simple bug to fix.

> Debugging the code I notice that the problem is in the sqlcounter_authorize
> when it calls the radius_xlat function on line 512.

  Hmm.. it uses MAX_QUERY_LEN, which is 4096.  Can you email a
backtrace from gdb to the list (or the -devel list, probably).  See
'doc/bugs' for more information.

  It sounds like *something* isn't checking buffer sizes, and there's
no way of telling without a back trace.

  Alan DeKok.




Radius Server Can't Authnticate Login

2002-09-17 Thread Ahmad S. Taneo

Hi!!!

I am using freeradius-7.0 in a redhat 7.2 kernel of linux. I have
successfully installed freeradius and bound it to ldap. My problem is
when I tried testing the radius server as a dial in server for remote
pc, the portslave recognizes incoming call but somehow can't
authenticate the login process. But when testing radius server it gives
an "Access-Accept" to the bound ldap server. I have checked log for
radius and it seems it doesn't give any information at all. It's just
that the connection died somehow. I would appreciate any help you can
give me from anyone of you out there.

ahmadz





Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Alan DeKok

Philip Kearney <[EMAIL PROTECTED]> wrote:
> I set cache = no in radiusd.conf and then did radiusd -X

  No, that won't help.  You should also comment out the 'passwd',
'shadow', and 'group' configurations, too.

  If it still doesn't work, then from a shell, do 'man getpwent', and
mail the results to the list.  Or, if you're feeling adventurous,
install ssh, and give me a user account.  I should be able to find 15
minutes to poke around the system.

  Alan DeKok.




Re: AAA???

2002-09-17 Thread Chris Parker

At 11:48 AM 9/17/2002 +0300, Peter Nixon wrote:
>On Wed, 7 Aug 2002 10:42:35 +0400
>"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
>
> > On Wed, Aug 07, 2002 at 12:18:20PM +0700, Yury Bokhoncovich wrote:
> > > Hi!
> > >
> > > On Wed, 7 Aug 2002, Динар wrote:
> > >
> > > > Is it possible to make AAA(Authorization, Authentication, Accounting)
> > >
> > > Sure. I've got that beast on with our Pg (7.2.1 at the moment).
> > > I don't recommend to use versions lesser than 7.0.1.
> > > IIRC there is problem with timestamp format in sql.conf or so.
> >
> > You should probably use raddb/postgresql.conf,
> > but timestamp processing there seems incorrect for me too,
> > along with some other things.
> >
> > BTW, who does maintain raddb/*sql.conf?
> > I see no $Id$ there.
>
>Good question! Where do we send patches/fixes?

The freeradius-devel list is probably the best place.

http://www.freeradius.org/development.html

-Chris

--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Fail to Start

2002-09-17 Thread Ruslan Balkin

On Tue, 17 Sep 2002 18:38:24 +0800 (CST)
ho k wrote:

> Hi
> I cannot run freeradius in background. Everything seems
> alright after enter "radiusd"
> 
> # ./radiusd
radiusd &
?

-- 
Balkin Ruslan




Fail to Start

2002-09-17 Thread ho k

Hi
I cannot run freeradius in background. Everything seems
alright after enter "radiusd"

# ./radiusd
Tue Sep 17 18:34:01 2002 : Info: Starting - reading configuration files ...

I have already commented out 

user = root
group = nobody

in radiusd.conf

Regards
K




CHAP/PAP Authentication

2002-09-17 Thread ho k

Hi

Hi
How can the user profile be set such that the PAP or
CHAP call may be verified.
If I used:


DEFAULT  Auth-Type := PAP
Fall-Through = 1

the debug output is:

modcall: group authorize returns ok
rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
modcall[authenticate]: module "pap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.

for CHAP user.

Regards
K  





Re: rlm_sqlcounter.c in CVS

2002-09-17 Thread Kostas Kalevras

On Tue, 17 Sep 2002, Andrea Gabellini wrote:

> Hi,
>
> I'm using the sqlcounter version of the latest CVS because I need more than
> 256 characters in the query string.
>
> If I use a query string greater than 256 I got a Segmentation fault, but if
> I use a query minor than 256 it works well.
>
> Debugging the code I notice that the problem is in the sqlcounter_authorize
> when it calls the radius_xlat function on line 512.
>
> I'm searching a workaround without luck. Can you help me?
>
> Andrea

This is a bug in the xlat function. Unfortunately, there's no fix yet.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf






Re: Windows XP/Cisco Catalyst/freeradius-snapshot-20020916

2002-09-17 Thread Artur Hecker



Lim Sei Wei wrote:
> 
> I have commented all the DEFAULT authtype examples in the file and this is
> the only entry in there
> myuser Auth-Type = Local, User-Password == "mypassword"
> 

yes, and that's the problem, too :-) change it to:

myuser Auth-Type := Local, User-Password == "mypassword"

and try again please.


regards,
artur


-- 
Artur Hecker
artur[at]hecker.info




Re: R: radius.conf

2002-09-17 Thread Artur Hecker

hi


> I must apologize for this, I didn't realize immediately that would be a
> problem, sorry.
> 
> I read the radius.conf, but I don't understand it, I mean
> I don't understand if I need only unix/etc/passwd i must configure all
> other stuff
> as:
> acct_users
> huntgroups
> clients.conf
> users
> dictionary
> hints
> realms

so, just comment out everything you don't need in the radiusd.conf, it's
organized in modules.

> 
> and the following error ??
> rlm_realm: Looking up realm NULL for User-Name = "demo"
> what does it mean ??

it means that the proxying module takes the user "demo", looks up the
preconfigured suffix in it, doesn't find any, thus sets the realm part
of the user name to NULL (empty, nothing) and does not proxy the request
since such a realm is not configured. it's not really an error. e.g.
demo@foo would have produced the same but with realm "foo" since @ is a
configured suffix. just deactivate proxying if you don't need all that.


> I need real configurations whether I use unix passwd ?
> 
> log ---> doing the test:radtest demo demo localhost 0 testing123
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:2915, id=255, length=53
> User-Name = "demo"
> User-Password = "Nq\365\213\316\t\374U\3122n~dc2\323"
> NAS-IP-Address = 255.255.255.255
> NAS-Port-Id = "0"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "demo"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> rlm_unix: [demo]: invalid password
>   modcall[authenticate]: module "unix" returns reject
> modcall: group authenticate returns reject
> auth: Failed to validate the user.

sure that the password of your user "demo" IS "demo"? does the user
exist? please post the user configuration.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info




Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Scott Silzer

I don't think that system based auth will work in OSX as it uses 
netinfo for most of its internal AAA, however LDAP,  xSQL and flat/db 
files should work. Sorry I can't provide more but I'm still correcting 
a number of problems caused by the move to 10.2.


Snip from /etc/passwd ( OS 10.2 )
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode.  At other times this information is handled by lookupd.  By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
##


At 01:57 -0700 09/17/2002, Philip Kearney wrote:
>On 9/16/02 1:38 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
>>  Philip Kearney <[EMAIL PROTECTED]> wrote:
>>>  Okay...I managed to get FreeRADIUS 0.7.1 to compile under MacOS X.
>>
>>  That's just made my day.
>>
>>>  With these changes, the make succeeded so I ran make install and everything
>>>  installed into /usr/local/.
>>
>>  We'll try to get these changes in before the release of 0.8.
>>
>>>  I now have radiusd made and installed at /usr/local/radiusd, but 
>>>it seems to
>>>  have real problems with some of the MacOS X configuration files like
>>>  /etc/passwd, /etc/groups, etc.
>>
>>  Then don't cache them.  Just comment out the lines, like it says to
>>  do for FreeBSD.  It should then work.
>
>Alan,
>
>I set cache = no in radiusd.conf and then did radiusd -X
>
>And I see at the end of all the output...
>
>Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
>1814/udp.
>Ready to process requests.
>
>"Looks promising", I think to myself. So I do "radtest test test localhost 0
>testing123"
>
>And then I see...
>
>rad_recv: Access-Request packet from host 127.0.0.1:49805, id=77, length=53
> User-Name = "test"
> User-Password = "%\334\277\033r3\321.\3658w|\276\307\221\210"
> NAS-IP-Address = 255.255.255.255
> NAS-Port-Id = "0"
>modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "test"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok
>modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
>auth: type "System"
>modcall: entering group authenticate
>   modcall[authenticate]: module "unix" returns notfound
>modcall: group authenticate returns notfound
>auth: Failed to validate the user.
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>Segmentation fault
>[pktibook:/usr/local/sbin] root%
>
>
>So radiusd receives the request, fails to validate the user, finishes the
>request and then eventually seg faults.  Don't know why that is yet,
>probably because I haven't really configured radiusd yet other than turning
>caching off like you suggested.  But it compiles and runs (once) right now
>under MacOS X with those tweaks I mentioned in my last message to the list.
>
>It's progress!  :-)
>
>PK
>
>


-- 
Scott Silzer
[EMAIL PROTECTED]




Re: rlm_sql crashing the rest of FreeRadius

2002-09-17 Thread Kostas Kalevras

On Tue, 17 Sep 2002, Peter Nixon wrote:

> Hi Guys
>
> I have a question regarding the rlm_sql module crashing the rest of
> FreeRadius. Below I have a selection from my logs. You can see that in the
> space of 12 seconds my server shot itself in the head simply because it
> didn't have enough DB handles. This has happened repeatedly over the last
> few nights (since I switched this server from mysql to postgres). The
> answer is obviously simple (increase the number of DB handles..) which I
> have been doing each day, but our traffic has been increasing at a rapid
> rate. My question is why is the rlm_sql module allowed to kill the server?
> shouldn't the server still keep logging to the detail files even if the DB
> is too busy? not just die messily? Luckily I have 2 more failover servers
> still running mysql to take the accounting traffic when this one dies.
>
> I would appreciate some comments from coders on why this happens, and if
> there are any plans on fixing this? I am not a c programmer although I am
> passable at perl so this is a bit beyond my skills to fix, but as I stated
> in several previous posts I am intending on releasing my complete
> FreeRadius based accounting system when it is complete, so please don't
> think I am just whinging here without any effort on my part.

This bug has been fixed in latest CVS snapshots.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: Linux RedHat Shell Scripting

2002-09-17 Thread Artur Hecker

hi

i don't know much about these issues but thinking about what you could
want to do, i guess that it would be a better solution to use some
back-end database with freeradius (sql, ldap), to log all accounting
etc. in this database and to comfortably use database operations to
extract whatever you want then. you want to analyze user information,
the log file of the server is rather meant for analyzing server
operations...

ciao
artur




Nicholas Sim wrote:

> Recently, we were running some tests on the freeradius server. We managed to
> obtain a log file. The log file contains the user log in information. But
> now, we are still finding a way to obtain  a separate log file between the
> successful logins and the unsuccessful logins. Anyone out there know how to
> do it?
> One reply was to use shell scripting...but I have no knowledge of such
> programming. Please help

-- 
Artur Hecker
artur[at]hecker.info




Re: Windows XP/Cisco Catalyst/freeradius-snapshot-20020916

2002-09-17 Thread Lim Sei Wei

I have commented all the DEFAULT authtype examples in the file and this is
the only entry in there
myuser Auth-Type = Local, User-Password == "mypassword"


 9/17/02 5:32 PM, "Artur Hecker" <[EMAIL PROTECTED]> wrote:

> hi
> 
> if i understood correctly, you use local authentication with eap, i.e.
> by some file. can you please post the configuration of the concerned
> user in the radius "users" file?
> 
> 
>> When I try to authenticate through windows XP Local area connection popup
>> dialog, it refuses authentication straight away.
>> 
>> modcall: entering group authorize
>>   modcall[authorize]: module "preprocess" returns ok
>>   modcall[authorize]: module "eap" returns updated
>>   modcall[authorize]: module "files" returns notfound
>> modcall: group authorize returns updated
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>> modcall: entering group authenticate
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP_TYPE - md5
>> rlm_eap: processing type md5
>> 
>> rlm_eap_md5: No password configured for this user
>> 
>> modcall[authenticate]: module "eap" returns invalid
>> modcall: group authenticate returns invalid
>> auth: Failed to validate the user.
>> Sending Access-Reject of id 56 to 10.0.0.212:1812
>> EAP-Message = "\0048\000\004"
>> Message-Authenticator = 0x
>> Finished request 2
> 
> if we don't get this with the config, we'll have to sniff traffic. a
> firmware update is always a good idea especially if it is older than
> 12-16 months.
> 
> 
> ciao
> artur
> 





rlm_sql crashing the rest of FreeRadius

2002-09-17 Thread Peter Nixon

Hi Guys

I have a question regarding the rlm_sql module crashing the rest of
FreeRadius. Below I have a selection from my logs. You can see that in the
space of 12 seconds my server shot itself in the head simply because it
didn't have enough DB handles. This has happened repeatedly over the last
few nights (since I switched this server from mysql to postgres). The
answer is obviously simple (increase the number of DB handles..) which I
have been doing each day, but our traffic has been increasing at a rapid
rate. My question is why is the rlm_sql module allowed to kill the server?
shouldn't the server still keep logging to the detail files even if the DB
is too busy? not just die messily? Luckily I have 2 more failover servers
still running mysql to take the accounting traffic when this one dies.

I would appreciate some comments from coders on why this happens, and if
there are any plans on fixing this? I am not a c programmer although I am
passable at perl so this is a bit beyond my skills to fix, but as I stated
in several previous posts I am intending on releasing my complete
FreeRadius based accounting system when it is complete, so please don't
think I am just whinging here without any effort on my part.


Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:19 2002 : Error: rlm_sql: All sockets are being used!
Please increase the maximum number of sockets!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: WARNING: Unresponsive child (id 163842)
for request 25043
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:20 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:21 2002 : Error: rlm_sql:  Stop packet with zero session
length.  (user '240', nas '212.50.53.201')
Mon Sep 16 19:22:22 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:22 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:22 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:23 2002 : Error: rlm_sql: All sockets are being used!
Please increase the maximum number of sockets!
Mon Sep 16 19:22:24 2002 : Error: rlm_sql: All sockets are being used!
Please increase the maximum number of sockets!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  Stop packet with zero session
length.  (user '240', nas '212.50.53.201')
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:25 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:26 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:22:26 2002 : Error: rlm_sql:

rlm_sqlcounter.c in CVS

2002-09-17 Thread Andrea Gabellini

Hi,

I'm using the sqlcounter version of the latest CVS because I need more than 
256 characters in the query string.

If I use a query string greater than 256 I got a Segmentation fault, but if 
I use a query minor than 256 it works well.

Debugging the code I notice that the problem is in the sqlcounter_authorize 
when it calls the radius_xlat function on line 512.

I'm searching for a workaround without luck. Can you help me?

Andrea


---
COFFEE.EXE Missing---Insert Cup and Press Any Key.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)

Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Repubblic of San Marino

http://www.omniway.sm  http://www.intelcom.sm





Re: logging passwords

2002-09-17 Thread Artur Hecker



Frank Cusack wrote:
> 
> On Tue, Sep 17, 2002 at 09:39:14AM +0800, Nicholas Sim wrote:
> > We manage to log the user but not the password of the user, even though
> > we put 'yes' to all of the attributes in the radius.conf.
> >
> > Wed Aug 14 21:57:16 2002 : Auth: Login incorrect: [william/ > attribute>] (from client private-network-1 port 37 cli 00082131a705)
> >
> > Why?
> 
> If the user is authenticating via CHAP the password is not available.  The
> log message seems to indicate that this is the case, but you can be sure
> by doing radiusd -X to see how the user authenticated.

Frank, you are of course right talking about the problem itself however
it's not actually CHAP in that case, it's EAP/MD5 according to the
question. EAP/MD5 is pretty much the same though there are major
differences in the real produced network packets. anyway, the idea _IS_
the same: the password is not available in clear on the wire or on the
mid-way, i.e. proxy etc. One of the differences between CHAP and
EAP/MD5 is the production of the challenge: as far as i know, in the
CHAP case it's NAS which generates challenges. with EAP/MD5 it's
freeradius.

Nicholas: on the mid-way they only see MD5 hashes of
challenges+passwords. only the authentication ends know the passwords
and could log them, but this is kind of completely useless, just look it
up in the config file.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info
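
The digest that two messages in this archive turn on (the CHAP-Password that rlm_pap refuses in the "CHAP/PAP Authentication" post, and the "MD5 hashes of challenges+passwords" in the reply above), as an added Python example that is not part of the thread or of FreeRADIUS. It follows RFC 1994 and RFC 2865; EAP-MD5 (RFC 3748) uses the same computation. All function names, request dictionaries and sample values are constructed for illustration.

```python
"""CHAP / EAP-MD5 response check (RFC 1994 sec. 4.1, RFC 2865 sec. 2.2).

Added illustration: names and sample values are constructed, and the
request dictionaries stand in for already-decoded RADIUS attributes.
"""
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(identifier octet || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def make_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute: identifier + 16-octet digest."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Recompute the digest from the stored cleartext and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def pap_only(request: dict, stored: bytes) -> str:
    """Models a profile that forces the PAP check on every request."""
    if "User-Password" not in request:
        return "invalid"  # a CHAP digest is not a password to compare
    ok = hmac.compare_digest(request["User-Password"], stored)
    return "accept" if ok else "reject"


def by_attribute(request: dict, stored: bytes) -> str:
    """Choose the check from the attribute the client actually sent."""
    if "CHAP-Password" in request:
        # RFC 2865: the challenge is CHAP-Challenge if present, otherwise
        # the 16-octet Request Authenticator of the packet.
        challenge = request.get("CHAP-Challenge",
                                request.get("Authenticator", b""))
        ok = verify_chap(request["CHAP-Password"], challenge, stored)
        return "accept" if ok else "reject"
    return pap_only(request, stored)


def loggable_password(request: dict):
    """The only password a server or proxy could log for this request."""
    pw = request.get("User-Password")
    return pw.decode() if pw is not None else None


# Constructed sample data.
CHALLENGE = bytes(range(16))
PASSWORD = b"mypassword"
CHAP_REQ = {"User-Name": "myuser", "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": make_chap_password(7, PASSWORD, CHALLENGE)}
PAP_REQ = {"User-Name": "myuser", "User-Password": PASSWORD}
# A one-way hash of the password, as a system password database keeps it.
HASHED_STORE = hashlib.sha256(PASSWORD).digest()

if __name__ == "__main__":
    print("forced PAP on CHAP request :", pap_only(CHAP_REQ, PASSWORD))
    print("check chosen by attribute  :", by_attribute(CHAP_REQ, PASSWORD))
    print("CHAP against hashed store  :",
          verify_chap(CHAP_REQ["CHAP-Password"], CHALLENGE, HASHED_STORE))
    print("password available to log  :", loggable_password(CHAP_REQ))
```

The third line of output is the practical constraint: the digest can only be recomputed from the cleartext password, so a store that keeps one-way hashes cannot validate CHAP or EAP-MD5 users.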




Re: Windows XP/Cisco Catalyst/freeradius-snapshot-20020916

2002-09-17 Thread Artur Hecker

hi

if i understood correctly, you use local authentication with eap, i.e.
by some file. can you please post the configuration of the concerned
user in the radius "users" file?


> When I try to authenticate through windows XP Local area connection popup
> dialog, it refuses authentication straight away.
> 
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
>   modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - md5
> rlm_eap: processing type md5
> 
> rlm_eap_md5: No password configured for this user
> 
> modcall[authenticate]: module "eap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Sending Access-Reject of id 56 to 10.0.0.212:1812
> EAP-Message = "\0048\000\004"
> Message-Authenticator = 0x
> Finished request 2

if we don't get this with the config, we'll have to sniff traffic. a
firmware update is always a good idea especially if it is older than
12-16 months.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info




Re: MacOS X & FreeRADIUS (yet again)

2002-09-17 Thread Philip Kearney

On 9/16/02 1:38 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Philip Kearney <[EMAIL PROTECTED]> wrote:
>> Okay...I managed to get FreeRADIUS 0.7.1 to compile under MacOS X.
> 
> That's just made my day.
> 
>> With these changes, the make succeeded so I ran make install and everything
>> installed into /usr/local/.
> 
> We'll try to get these changes in before the release of 0.8.
> 
>> I now have radiusd made and installed at /usr/local/radiusd, but it seems to
>> have real problems with some of the MacOS X configuration files like
>> /etc/passwd, /etc/groups, etc.
> 
> Then don't cache them.  Just comment out the lines, like it says to
> do for FreeBSD.  It should then work.

Alan,

I set cache = no in radiusd.conf and then did radiusd -X

And I see at the end of all the output...

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.

"Looks promising", I think to myself. So I do "radtest test test localhost 0
testing123"

And then I see...

rad_recv: Access-Request packet from host 127.0.0.1:49805, id=77, length=53
User-Name = "test"
User-Password = "%\334\277\033r3\321.\3658w|\276\307\221\210"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "test"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
Segmentation fault
[pktibook:/usr/local/sbin] root%


So radiusd receives the request, fails to validate the user, finishes the
request and then eventually seg faults.  Don't know why that is yet,
probably because I haven't really configured radiusd yet other than turning
caching off like you suggested.  But it compiles and runs (once) right now
under MacOS X with those tweaks I mentioned in my last message to the list.

It's progress!  :-)

PK





Re: AAA???

2002-09-17 Thread Peter Nixon

On Wed, 7 Aug 2002 10:42:35 +0400
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:

> On Wed, Aug 07, 2002 at 12:18:20PM +0700, Yury Bokhoncovich wrote:
> > Hi!
> > 
> > On Wed, 7 Aug 2002, Динар wrote:
> > 
> > > Is it possible to make AAA(Authorization, Authentication, Accounting)
> > 
> > Sure. I've got that beast on with our Pg (7.2.1 at the moment).
> > I don't recommend to use versions lesser than 7.0.1.
> > IIRC there is problem with timestamp format in sql.conf or so.
> 
> You should probably use raddb/postgresql.conf,
> but timestamp processing there seems incorrect for me too,
> along with some other things.
> 
> BTW, who does maintain raddb/*sql.conf?
> I see no $Id$ there.

Good question! Where do we send patches/fixes?


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

"They that can give up essential liberty to obtain a little
 temporary safety, deserve neither liberty nor safety."
  -Benjamin Franklin





Re: mysql scheme

2002-09-17 Thread Peter Nixon

On Thu, 29 Aug 2002 14:21:35 -0400
Hernan <[EMAIL PROTECTED]> wrote:

> Steve:
> 
> I tried your syntax and it worked fine but when i do a describe radacct
> i only get | h323_remote_address | varchar(15) ,do you know if this
> is enough data to receive the  h323_remote_address  input from radiusd
> in the mysqld?
>
> The parameter in the detail file is  h323remoteaddress and the field
>  in the database is h323_remote_address ,do you know if this difference
> could  bring any trouble?
> 
> Thanks in advance
> Hernan

I have a comprehensive sql.conf and DB schema for accounting cisco VOIP
traffic if you want it. I have now switched (in the last week) to Postgres
however due to its better handling of date formats (allowing you to do
sorts on h323setuptime etc.). It also handles views which makes writing
frontends to the data much simpler.

Would the list be interested in my changes to both sql.conf and
postgresql.conf and my new schemas? If not I may setup a SF project to
handle it.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

"They that can give up essential liberty to obtain a little
 temporary safety, deserve neither liberty nor safety."
  -Benjamin Franklin





Re: Linux RedHat Shell Scripting

2002-09-17 Thread Kostas Kalevras

On Tue, 17 Sep 2002, Nicholas Sim wrote:

> Dear all,
>
> Recently, we were running some tests on the freeradius server. We managed to
> obtain a log file. The log file contains the user log in information. But
> now, we are still finding a way to obtain  a separate log file between the
> successful logins and the unsuccessful logins. Anyone out there know how to
> do it?
> One reply was to use shell scripting...but I have no knowledge of such
> programming. Please help
>
> Thank you
>

You can look in dialup_admin. In the bin directory there is log_badlogins
(perl script) which will log failed logins in the radacct table in mysql. If
you are using mysql for accounting then you can use it.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
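
Splitting the auth lines of the server log into successful and failed logins, which is what this thread asks for, as an added Python example; it is not dialup_admin's log_badlogins and not FreeRADIUS code. The line layout follows the `Auth: Login incorrect: [...] (from client ...)` line quoted elsewhere in this archive; the `Login OK` wording for the success case is an assumption, and the auth sample lines are constructed.

```python
"""Split FreeRADIUS-style auth log lines into accepted and rejected logins.

Added illustration. When the server is configured to log passwords, the
part after "/" inside the brackets is a credential, so it is redacted
before a line is copied to either output.
"""
import re
from collections import Counter

# Layout follows the "Auth: Login incorrect: [user/...] (from client ...)"
# line quoted in this archive; "Login OK" is assumed for the success case.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect)[^\[]*"
    r"\[(?P<user>[^\]/]*)(?:/(?P<cred>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)]+))?\)"
)


def parse_auth_line(line):
    """Return a dict for an auth line, or None for any other log line."""
    text = line.rstrip("\n")
    m = AUTH_LINE.match(text)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("ts", "user", "client", "port", "cli")}
    rec["ok"] = m.group("result") == "Login OK"
    if m.group("cred") is not None:
        text = text[:m.start("cred")] + "<redacted>" + text[m.end("cred"):]
    rec["line"] = text
    return rec


def split_auth_log(lines):
    """Return (accepted lines, rejected lines, failures per (user, client))."""
    accepted, rejected, failures = [], [], Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue  # server errors, startup messages, and so on
        if rec["ok"]:
            accepted.append(rec["line"])
        else:
            rejected.append(rec["line"])
            failures[(rec["user"], rec["client"])] += 1
    return accepted, rejected, failures


def split_file(src, ok_path, bad_path):
    """Write the two separate log files and return the failure counts."""
    with open(src, encoding="utf-8", errors="replace") as fh:
        accepted, rejected, failures = split_auth_log(fh)
    for path, rows in ((ok_path, accepted), (bad_path, rejected)):
        with open(path, "w", encoding="utf-8") as out:
            out.writelines(row + "\n" for row in rows)
    return failures


# Constructed sample; only the rlm_sql error line is copied from this archive.
SAMPLE_LOG = """\
Wed Aug 14 21:57:16 2002 : Auth: Login incorrect: [william/guess1] (from client private-network-1 port 37 cli 00082131a705)
Wed Aug 14 21:57:41 2002 : Auth: Login incorrect: [william/guess2] (from client private-network-1 port 37 cli 00082131a705)
Mon Sep 16 19:22:18 2002 : Error: rlm_sql:  There are no DB handles to use!
Mon Sep 16 19:25:02 2002 : Auth: Login OK: [demo/demo] (from client localhost port 0)
"""

if __name__ == "__main__":
    ok, bad, fails = split_auth_log(SAMPLE_LOG.splitlines())
    print(len(ok), "accepted;", len(bad), "rejected")
    for (user, client), count in fails.most_common():
        print(f"{count} failed logins for {user!r} from {client}")
```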





R: radius.conf

2002-09-17 Thread Gian-Carlo Baldarelli

I must apologize for this, I didn't realize immediately that would be a
problem, sorry.

I read the radius.conf, but I don't understand it, I mean
I don't understand if I need only unix/etc/passwd i must configure all
other stuff
as:
acct_users
huntgroups
clients.conf
users
dictionary
hints
realms


and the following error ??
rlm_realm: Looking up realm NULL for User-Name = "demo"
what does it mean ??
I need real configurations whether I use unix passwd ?


log ---> doing the test:radtest demo demo localhost 0 testing123

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:2915, id=255, length=53
User-Name = "demo"
User-Password = "Nq\365\213\316\t\374U\3122n~dc2\323"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "demo"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [demo]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Monday, 16 September 2002 16.08
To: [EMAIL PROTECTED]
Subject: Re: radius.conf


"Gian-Carlo Baldarelli" <[EMAIL PROTECTED]> wrote:
> ## radiusd.conf   -- FreeRADIUS server configuration file.

  That's nice.  You didn't read it, but you posted the entire thing to
the list.

  And it's obvious you edited it.  So you're either running an older
version of the server, in which case you should upgrade, OR, you've
edited it to delete the comments which tell you how to solve your
problem.

  I have no clue why you would do that.

  Alan DeKok.


